on Wed, Feb 08, 2006 at 02:38:29PM -0500, Tom Clark (tclark@requisitesystems.com) wrote:
> On a LUG mailing list to which I subscribe, I enjoy the regular postings
> of another subscriber who works primarily with Windows. She seems to
> make a point of posting a message whenever she encounters a non-Windows
> system that has a security issue. While I'm sure she means well, the
> messages seem to have a "You Linux geeks think you're all that, but
> you're not!" tone. She never seems to post about problems with Windows
> systems, but then again, how could she find the time?
It's a fair point that GNU/Linux has its security vulnerabilities. Some
of these affect the kernel directly, but the vast majority are systems
software and/or configuration settings, many of which are not specific
to any one distro or even GNU/Linux itself.
> This is really just a minor annoyance, but I am struck by the failure of
> this person to get Linux. Her point of view has been so strongly shaped
> by Windows use that she just can't seem to understand anything else. Is
> there a way to reach people like this, or must we just write them off as
> computing's lost generation? Is there a twelve step program?
One approach I've found somewhat useful is to answer the specific
vulnerability claim. I've found that this often helps both you and the
'Dozer in question get a clearer picture of GNU/Linux's actual
vulnerability status.
I've found that such responses often fall into the categories of:
- That affects another distro, not mine.
- That affects another kernel, not mine.
- That affects another HW architecture, not mine.
- That affects software I don't have installed.
- That affects a package I've already updated.
- (OpenBSD users only) Yeah, that was preemptively avoided due to a
coding audit three years ago.
... and occasionally:
- Thanks, I've just updated that package, I should be OK now.
Note the other usuals:
- GNU/Linux distributions are generally considered as including far
more software than many other operating systems. Over 6,000
packages in distributions such as Red Hat or SuSE, in excess of
17,000 for Debian. This compares to a few thousand files *total* in
a virgin legacy MS Windows 2000 or XP installation. This is
despite the fact that most installations are only a small subset of
the available packages, and in fact many packages (e.g.: multiple
SMTP or HTTPD servers) conflict and can't normally be installed
simultaneously.
- Disclosure of vulnerabilities tends toward the early, often, and
slight variety in Free Software, a policy often referred to as "full
disclosure". Potential and/or theoretical vulnerabilities are
disclosed (regardless of buffer overflows), and vulnerabilities are
generally disaggregated: mentioned on a per-package, per-distro,
per-hardware platform, per-version basis, such that a single source
vulnerability will be reported multiple times. This is very much
the case, e.g.: with the recent reports of CERT "Unix/Linux" vs. MS
Windows vulnerabilities. GNU/Linux vulnerabilities also (by virtue
of the inclusiveness of distros as noted above) tend to cover a very
large array of software.
- By contrast, Windows vulnerability disclosures tend:
- To be rolled up into aggregated announcements addressing several
applications, operating system releases, and/or environments.
- To be delayed until a fix, or at the very least, a workaround, is
available. Microsoft have very notably criticised several third
party security analysts for making "premature" disclosure.
- To be limited to only the small set of applications actually
associated directly with the operating system distribution. While
this now includes such tied applications as the MSIE
remote-access-and-vulnerabilities engine, third-party vendor
software alerts must be separately researched. My GNU/Linux
systems include comprehensive bugreporting, security alerts, and
comprehensive system updates (no reboots required). Legacy MS
Windows ain't there yet.
Of course, it's interesting to note what your own
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Malpractice makes malperfect.
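The triage categories in the reply above ("another distro", "another architecture", "not installed", "already updated") are exactly the checks a defender runs against an advisory before deciding whether it matters. The following script, added here as an illustration and not part of either poster's message, encodes those categories as a small classifier. The advisory fields, package names, versions and the host inventory are all constructed sample data, and the version comparison is a deliberately simplified numeric compare rather than the full dpkg or rpm ordering rules.

```python
"""Classify vulnerability advisories against a local package inventory.

Constructed example; the Advisory/Host types and the sample data are
assumptions for illustration, not real advisories. Version comparison is a
simplified dotted-numeric compare (dpkg/rpm use richer rules such as epochs
and tilde ordering), so treat it as a sketch of the triage logic only.
"""
from dataclasses import dataclass
import re

# Outcome labels mirror the categories listed in the mailing-list reply.
NOT_MY_DISTRO = "affects another distro, not mine"
NOT_MY_ARCH = "affects another HW architecture, not mine"
NOT_INSTALLED = "affects software I don't have installed"
ALREADY_UPDATED = "affects a package I've already updated"
AFFECTED = "affected: update needed"


@dataclass(frozen=True)
class Advisory:
    package: str          # package the advisory names
    distro: str           # distribution the advisory is issued for
    archs: frozenset      # hardware architectures on which the flaw is reachable
    fixed_version: str    # first package version carrying the fix


@dataclass(frozen=True)
class Host:
    distro: str
    arch: str
    installed: dict       # package name -> installed version string


def parse_version(version):
    """Turn '4.2p1-5' into (4, 2, 1, 5): every run of digits, in order.

    Good enough for the sample data; NOT a replacement for dpkg --compare-versions.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def triage(advisory, host):
    """Return the triage category for one advisory on one host.

    Checks run in the same order a sysadmin would ask the questions:
    is it my distro, is it my hardware, do I have the package, is it patched?
    """
    if advisory.distro != host.distro:
        return NOT_MY_DISTRO
    if host.arch not in advisory.archs:
        return NOT_MY_ARCH
    installed = host.installed.get(advisory.package)
    if installed is None:
        return NOT_INSTALLED
    if parse_version(installed) >= parse_version(advisory.fixed_version):
        return ALREADY_UPDATED
    return AFFECTED


def triage_all(advisories, host):
    """Map each advisory (keyed by package) to its category for this host."""
    return {a.package: triage(a, host) for a in advisories}


def actionable(advisories, host):
    """Only the advisories that actually require an update on this host."""
    return sorted(a.package for a in advisories if triage(a, host) == AFFECTED)


# Constructed sample data: five advisories, one Debian/i386 host.
SAMPLE_ADVISORIES = [
    Advisory("openssh-server", "debian", frozenset({"i386", "amd64"}), "4.2p1-7"),
    Advisory("exim4", "debian", frozenset({"i386", "amd64"}), "4.60-4"),
    Advisory("sendmail", "debian", frozenset({"i386", "amd64"}), "8.13.5-3"),
    Advisory("httpd", "fedora", frozenset({"i386"}), "2.0.54-10"),
    Advisory("glibc", "debian", frozenset({"sparc"}), "2.3.6-1"),
]

SAMPLE_HOST = Host(
    distro="debian",
    arch="i386",
    installed={"openssh-server": "4.2p1-5", "exim4": "4.60-4", "apache2": "2.0.55-4"},
)

if __name__ == "__main__":
    for package, verdict in triage_all(SAMPLE_ADVISORIES, SAMPLE_HOST).items():
        print(f"{package:16} {verdict}")
    print("needs update:", actionable(SAMPLE_ADVISORIES, SAMPLE_HOST))
```

Of the five constructed advisories only `openssh-server` ends up actionable; the other four drop into the reply's "not mine" buckets, which is the point being made: the raw count of published advisories says little about the exposure of any one box until the distro, architecture, installed-package and version filters have been applied.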